Math professor wins landmark crypto ruling

A three-judge panel affirms an earlier decision that U.S. export limits on encryption are unconstitutional.

January 2, 2002 4:43 PM PST

U.S. export limits on encryption are unconstitutional, the Ninth Circuit Court of Appeals ruled in a precedent-setting decision today.

In a 2-to-1 vote, a federal panel affirmed U.S. District Judge Marilyn Patel's 1997 landmark ruling in Daniel Bernstein vs. the Justice Department. That decision states that software source code is a language, and therefore the export controls violate the University of Illinois math professor's First Amendment right.

Bernstein had wanted to post crypto code on his Web site as part of an international course he teaches, but was blocked by a Clinton administration policy regulating software cryptography as falling within the interests of national security.

Today's loss for the government is no doubt a blow to the administration's policy. Legal experts say the ruling is a huge endorsement for online privacy and essentially applies to anyone who wants to post crypto source code--without a license--from within the Ninth Circuit. Although the opinion doesn't apply to off-the-shelf products, companies such as Network Associates, which is based in California, could get regulatory relief, because its Pretty Good Privacy source code is freely available around the world.

"We hold that the challenged regulations constitute a prior restraint on speech that offends the First Amendment," states the Ninth Circuit majority opinion by Judge Betty Fletcher. "As a result, Bernstein and other scientists have been effectively chilled from engaging in valuable scientific expression."

When Bernstein sued the government in early 1995, the Clinton administration regulated encryption as a potential weapon, requiring an export license to ship products. The State Department had classified Bernstein's encryption program, dubbed Snuffle, as munitions and said he needed a license to "export" the code via his Web site. This position didn't change even when the Commerce Department began administering the regulations in December 1996.

"We find that the export administration regulations operate as a prepublication licensing scheme that burdens scientific expression, vest boundless discretion in government officials, and lack adequate procedural safeguards," Fletcher wrote in the ruling.

The Justice Department is expected to appeal the ruling to the Supreme Court, in which case the Appeals Court ruling could be stayed. Nonetheless, Bernstein's legal team is celebrating its victory.

"The decision declares that the regulations are unconstitutional, period," said Bernstein's lead attorney, Cindy Cohn.

"As a practical matter, the government is not enjoined from applying its regulations--except to Bernstein. But we're one step closer to doing away with the regulations," she added. "The ruling shows that Justice saw the real reason we are fighting this--this case is about whether you and me and everyone has access to the tools to protect our privacy or not."

Crypto's contentious history
Encryption export limits have been at the center of a contentious debate for years.

On one side are law enforcement officials who say the restrictions are necessary to deter tech-savvy criminals from using the technology to cover their tracks. On the other side are civil liberties advocates who argue that the laws impede speech and global consumers' rights to computer privacy, as well as U.S. software and hardware companies which say the restrictions prevent them from competing with their foreign counterparts.

Bernstein's attorneys argued that source code was a form of speech for programmers, and that he should not be subject to prior review by the government before publishing his ideas. The government countered that source code doesn't express ideas and is simply used to control the operation of a computer.

The Appeals Court today agreed with Bernstein.

"First, it is not at all obvious that the government's view reflects a proper understanding of source code," the ruling stated. "Source code is not meant solely for the computer, but is rather written in a language intended also for human analysis and understanding."

The ruling went on to say that code is used to convey ideas.

"Cryptographers use source code to express their scientific ideas in much the same way that mathematicians use equations or economists use graphs," the opinion stated. "We conclude that encryption software, in its source code form and as employed by those in the field of cryptography, must be viewed as expressive for First Amendment purposes, and thus is entitled to the protections of the prior restraint doctrine."

Judge Thomas Nelson, however, dissented on grounds that Bernstein should never have been allowed to bring the free speech challenge. "The ultimate purpose of encryption code is, as its name suggests, to perform the function of encrypting messages--it is inherently a functional device."

White House reproached
What struck legal and privacy advocates today was the sentiment of the ruling. The opinion took on the entire White House policy, saying it was "retarding the progress of the flourishing science of cryptography." Moreover, the ruling addressed encryption's role in protecting privacy in the digital world.

"In this increasingly electronic age, we are all required in our everyday lives to rely on modern technology to communicate with one another. This reliance on electronic communication, however, has brought with it a dramatic diminution in our ability to communicate privately," the ruling stated.

"The court also attacks the entire regulatory structure," he said. "It is important to note, however, that this decision does not apply directly to actual ready-to-run programs. But the tone of it is that crypto applies to the social protection of privacy."

Added Marc Rotenberg, executive director of the Electronic Privacy Information Center, which filed a friend-of-court brief in the case: "This is the leading case right now in the United States on the right to use encryption. It provides a powerful and far-reaching rationale in supporting privacy and the right to use encryption."

Supporters of legislative efforts such as the Security and Freedom through Encryption Act (SAFE), which would cut the red tape for U.S. companies that want to sell strong encryption overseas, also cheered today's ruling.

"This decision demonstrates the judicial branch's understanding of the encryption debate," Rep. Anna Eshoo (D-California) said in a statement. "Now is the time for Congress and the administration to follow suit. This means passing and signing into law the SAFE Act."